[Dovecot] Kerberos GSSAPI - proper item name in keytab

David Warden warden at geneseo.edu
Thu Sep 1 14:50:33 EEST 2011


On Aug 31, 2011, at 4:39 PM, Jason Gunthorpe wrote:

> On Wed, Aug 31, 2011 at 09:28:50AM -0600, Trever L. Adams wrote:
> 
>> I have only followed part of this. If the original poster's problem is
>> that the LDAP database cannot be accessed with an SPN
>> ticket, this is because SPNs are not allowed to log in in AD. You need
>> to use a user account (including MACHINE$ accounts). It took me forever
>> to figure this out. To use this, you need a cron job that creates/renews
>> tickets from time to time for the user/machine account. Then you use
>> Dovecot's environment setup configuration to set the KRB5_CC (or
>> whatever it is called, my head is elsewhere) env variable to that
>> Kerberos ticket cache that was created in the cronjob. This cache needs
>> to be readable by dovecot and should be owned by its user.
> 
> This all works a 1000% better if you use Samba to join the domain and
> create your keytab with the right SPNs. See my prior posts to this
> list for a formula. Using the MS kerberos compatibility tools is
> painful, complicated and tends to make a mess.
> 
> Samba will create a machine UPN and populate the system keytab
> appropriately. From a cron job you can use 'kinit -k' to maintain an
> active ticket for the machine UPN which dovecot can use for LDAP
> operations.
> 
I would agree that is easier unless/until you are load balancing connections on a single hostname to multiple physical machines. In that scenario you can't add SPNs for the shared hostname to the machine accounts (since SPNs must be unique) and you're still looking at futzing with ktpass.
> Jason
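The cron-driven ticket maintenance that Trever and Jason describe (a machine-account ticket obtained from the keytab with `kinit -k`, handed to the dovecot user through a ticket cache, and that cache pointed at via Dovecot's environment setting), written out as an added example. This is not code from the thread or from Dovecot. It assumes MIT Kerberos `kinit`, a keytab already populated by the domain join, the `HOST$@REALM` naming of AD computer accounts, and the cache path, the `dovecot` user name and the Dovecot `import_environment` setting named in the comments; all of those are assumptions, not values taken from the thread.

```shell
#!/bin/sh
# Added example (not from the thread or from Dovecot): keep a Kerberos ticket
# cache for the AD machine account fresh and readable only by the dovecot
# user, so Dovecot can use it for LDAP lookups.  Run from cron with RENEW=1.
# Assumed values: keytab path, cache path, service user name, Dovecot setting.

KEYTAB=${KEYTAB:-/etc/krb5.keytab}                 # assumed: keytab written by the domain join
CACHE=${CACHE:-/var/lib/dovecot/krb5cc_machine}    # assumed: cache path readable by dovecot
DOVECOT_USER=${DOVECOT_USER:-dovecot}              # assumed: Dovecot service user

# machine_principal SHORTHOST REALM -> prints the AD machine account principal.
# A computer object's sAMAccountName is HOST$ and the realm is upper-case,
# so the UPN Samba registers looks like MAIL1$@AD.EXAMPLE.EDU.
machine_principal() {
    host=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    realm=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')
    printf '%s$@%s\n' "$host" "$realm"
}

# check_cache_perms FILE OWNER -> 0 only when FILE exists, is owned by OWNER
# and is mode 0600.  Anything looser lets other local users borrow the
# machine's ticket, which is the point Trever makes about ownership.
check_cache_perms() {
    [ -f "$1" ] || return 1
    find "$1" -prune -user "$2" -perm 0600 -print 2>/dev/null | grep -q .
}

# renew_ticket PRINCIPAL -> obtains a fresh TGT from the keytab into a private
# temporary cache (MIT kinit: -k use keytab, -t keytab file, -c cache), fixes
# ownership, then renames it into place so Dovecot never sees a half-written
# cache.  Returns non-zero if any step fails, so cron mails the failure.
renew_ticket() {
    tmp="$CACHE.tmp.$$"
    kinit -k -t "$KEYTAB" -c "FILE:$tmp" "$1" || return 1
    { chown "$DOVECOT_USER" "$tmp" && chmod 0600 "$tmp"; } || { rm -f "$tmp"; return 1; }
    mv -f "$tmp" "$CACHE" || return 1
    check_cache_perms "$CACHE" "$DOVECOT_USER"
}

# Crontab entry (well inside the ticket lifetime), assumed install path:
#   0 */4 * * *  RENEW=1 REALM=AD.EXAMPLE.EDU /usr/local/sbin/renew-dovecot-ticket.sh
# Dovecot side (setting name assumed for Dovecot 2.x; the thread only says
# "environment setup configuration"):
#   import_environment = $import_environment KRB5CCNAME=FILE:/var/lib/dovecot/krb5cc_machine
if [ "${RENEW:-0}" = 1 ]; then
    renew_ticket "$(machine_principal "$(hostname -s)" "${REALM:?set REALM to the AD realm}")"
fi
```

Because the renewal is gated on `RENEW=1`, the file can be sourced to reuse `check_cache_perms` from a monitoring check without touching the cache; a cache that is world-readable or owned by root is reported as a failure rather than silently used.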


